Abstract. Model checking properties are often described by means of finite automata.
Any particular such automaton divides the set of infinite trees into finitely many classes, 
according to which state has an infinite run. Building the full type hierarchy upon this 
interpretation of the base type gives a finite semantics for simply-typed lambda-trees. 

A calculus based on this semantics is proven sound and complete. In particular, for 
regular infinite lambda-trees it is decidable whether a given automaton has a run or not. 
As regular lambda-trees are precisely recursion schemes, this decidability result holds for 
arbitrary recursion schemes of arbitrary level, without any syntactical restriction. 



1. Introduction and Related Work 

The lambda calculus [5] has long been used as a model of computation. In its untyped form it is Turing complete. Even though models of the untyped lambda calculus are known, restricting it to a typing discipline allows for more specific models. The simply-typed lambda calculus has a straightforward set-theoretic semantics.

Quite early on, not only finite but also infinite lambda-terms have been considered. For example, Barendregt [5] introduced the concept of "Böhm trees" as a generalised concept of normal forms for lambda-terms where normalisation does not necessarily terminate, but still might produce a growing normal prefix; for example the term $Y(\lambda z x.xz)$ has the Böhm tree $\lambda x.x(\lambda x.x(\lambda x.x \dots))$.

Since Rabin [16] showed the decidability of the monadic second order (MSO) theory of the infinite binary tree this result has been applied and extended to various mathematical structures, including algebraic trees [?] and a hierarchy of graphs [7] obtained by iterated unfolding and inverse rational mappings from finite graphs. The interest in these kinds of structures arose in recent years in the context of verification of infinite state systems [13, 18].
Recently Knapik, Niwiński and Urzyczyn [10] showed that the monadic second order theory of any infinite tree generated by a level-2 grammar satisfying a certain "safety" condition is decidable. Later they generalised [11] this result to grammars of arbitrary levels, but still requiring the "safety" condition. In particular, the question was left open whether a "safety" constraint is necessary to obtain decidability. In this article we will give a partial answer.

It should be noted that trees given by higher-order grammars can also be understood 
as trees given by simply-typed infinite, but regular, lambda terms. The "safety" condition 
guarantees that beta-reduction can be carried out in such a way that variables never have to 
be renamed in the process of substitution. This obviously is a property related to operational 
aspects of computation. Our approach to avoid the need for such a restriction is therefore 
to search for a denotational semantics. Denotational approaches tend to be less vulnerable 
to the need of requiring specific operational properties. 

To obtain effective constructions, like an effective semantics, it is useful to have a 
concrete representation of the properties to be verified. Finite automata are a standard 
tool to do so. In this article we concentrate on automata with trivial acceptance condition. 
These automata do not exhaust all of MSO but, as we shall see, are able to express a
reasonable set of safety properties. 

Their advantage, however, is that they seem particularly suited for a denotational 
approach. The reason is that the "interface" is particularly simple. In order to combine
two partial runs into a longer run, the only thing we have to look at is the state in which 
the automaton arrives. 

Based on this intuition we construct a semantics for the simple types. Actually, we 
use the standard set-theoretic semantics. Hence the only thing we have to specify is the 
interpretation of the base type. Following the discussion above, we describe a term of base 
type by the set of states a given automaton can start a run on the tree denoted by that 
term. 

More precisely, we consider the following problem. 

Given a, possibly infinite, simply-typed lambda-tree $t$ of base type, and given a non-deterministic tree automaton $\mathfrak{A}$. Does $\mathfrak{A}$ have a run on the normal form of $t$?

The idea is to provide a "proof" of a run of $\mathfrak{A}$ on the normal form of $t$ by annotating each subterm of $t$ with a semantical value describing how this subterm "looks, as seen by $\mathfrak{A}$".
Since, in the end, all the annotations come from a fixed finite set, the existence of such a 
proof is decidable. 

The idea of a "proof" that a given automaton has a run on a tree is used, at least implicitly, in the work by Aehlig, de Miranda and Ong [1]. This work also gives an affirmative answer to the question of the decidability for the full MSO theory for trees generated by level-two recursion schemes.

Very recently, simultaneously and independently, Luke Ong could give an affirmative answer [15] for trees generated by recursion schemes of arbitrary level, still deciding the full MSO theory; he thus obtained a stronger result in what concerns decidability. His result is based on game semantics [9] and is technically quite involved. Therefore the author believes that his conceptually more simple approach still is of worth. Moreover, the novel finitary semantics for the simple types introduced in this article, and the sound and complete proof system to show the existence of a run of an automaton seem to be of independent interest. An extended abstract [1] of this article appeared in the proceedings of CSL '06.

This article is organised as follows. In Section 2 we formally introduce automata with trivial acceptance condition and study their languages. We also prove the closure of these languages under the modality "globally". We also show that properties based on the modality "eventually" are not expressible. In Section 3 we introduce infinitary simply-typed lambda trees and in Section 4 we introduce recursion schemes as a means to describe regular lambda trees. This also shows that some lambda trees have a representation that is not only effective, but also quite natural. In Section 5 we explain continuous normalisation for the lambda calculus. The use of continuous normalisation is twofold. On the one hand, it allows simpler definitions and proofs, as one layer of input corresponds precisely to one layer of output. On the other hand, it is simply a necessity in order to have a well-defined normal form in the presence of non-terminating computations due to the infinitary nature of our lambda trees. Section 6 introduces the finitary semantics and the proof system; Sections 7 and 8 are devoted to the proofs of its soundness and completeness. Finally, in Section 9 we put the results together to obtain the mentioned decidability result.

2. Automata with Trivial Acceptance Condition 

We assume a set of letters or terminals be given to us as a primitive notion. We use $f$ to range over letters. Each letter $f$ is associated an arity $\sharp(f) \in \mathbb{N}$.

Definition 2.1. For $\Sigma$ a set of terminals, a $\Sigma$-term is a, not necessarily well-founded, tree labelled with elements of $\Sigma$ where every node labelled with $f$ has $\sharp(f)$ many children.

A $\Sigma$-language is any subset of the set of all $\Sigma$-terms. We use the term language if $\Sigma$ is understood.

Example 2.2. Let $\Sigma' = \{f, g, a\}$ with $f$, $g$ and $a$ of arities 2, 1, and 0, respectively. Figure 1 shows two $\Sigma'$-terms.

Definition 2.3 (Trivial Automata). A non-deterministic tree automaton with trivial acceptance condition over the alphabet $\Sigma$, or a "trivial automaton" for short, is given by

• a finite set $Q$ of "states",

• a set $I \subseteq Q$ of "initial states", and

• a transition function $\delta\colon Q \times \Sigma \to \mathcal{P}((Q \cup \{*\})^N)$.

Here $N = \max\{\sharp(f) \mid f \in \Sigma\}$ is the maximal arity and we require $\delta(q, f) \subseteq Q^{\sharp(f)} \times \{*\}^{N - \sharp(f)}$ whenever $q \in Q$ and $f \in \Sigma$.

Definition 2.4 (Run of a Trivial Automaton). If $t$ is a $\Sigma$-term, and $\mathfrak{A}$ a trivial automaton over $\Sigma$, then a run (also "an infinite run") of $\mathfrak{A}$ on $t$ starting in state $q$ is a mapping $r$ from the nodes of $t$ to $Q$, such that the root is mapped to $q$, and, whenever $p$ is an $f$-labelled node in $t$ and $p_1, \dots, p_{\sharp(f)}$ are the children of $p$, then $(r(p_1), \dots, r(p_{\sharp(f)}), *, \dots, *) \in \delta(r(p), f)$.

A run up to level $n$ starting in state $q$ is a mapping from all nodes of $t$ with distance at most $n$ to $Q$ such that the above condition holds for all nodes $p$ in the domain of $r$, i.e., whenever a node $p$ is $f$-labelled and its children $p_1, \dots, p_{\sharp(f)}$ have distance at most $n$ to the root, then $(r(p_1), \dots, r(p_{\sharp(f)}), *, \dots, *) \in \delta(r(p), f)$.

A run, or a run up to level $n$, is a run, or a run up to level $n$, starting in some initial state.
Figure 1: Two $\{f, g, a\}$-terms.



We write $\mathfrak{A}, q \models^n t$ to denote that $\mathfrak{A}$ has a run on $t$ up to level $n$ starting in state $q$. We write $\mathfrak{A}, q \models t$ to denote that $\mathfrak{A}$ has a run on $t$ starting in state $q$. We write $\mathfrak{A} \models^n t$ to denote that $\mathfrak{A}$ has a run up to level $n$ on $t$ and we write $\mathfrak{A} \models t$ to denote that $\mathfrak{A}$ has a run on $t$.

Remark 2.5. Trivially, every automaton has a run up to level 0 on every term starting in every state. Also immediate from the definition we see that, if $\mathfrak{A}$ has a run up to level $n$ on $t$ and $m \leq n$ then $\mathfrak{A}$ has a run up to level $m$ on $t$.

Remark 2.6. By König's Lemma $\mathfrak{A}$ has a run on $t$ if and only if $\mathfrak{A}$ has a run up to level $n$ on $t$ for every $n \in \mathbb{N}$.

Example 2.7. Continuing Example 2.2, consider the property

"Every maximal chain of letters $g$ has even length".

It can be expressed by an automaton with two states $Q = \{q_2, q_1\}$ where $q_2$ means that an even number of $g$s has been passed on the path so far, and $q_1$ means that the maximal chain of $g$s passed has odd length. Then the initial state is $q_2$ and the transition function is as follows.

$$\begin{array}{ll}
\delta(q_2, f) = \{(q_2, q_2)\} & \delta(q_1, f) = \emptyset \\
\delta(q_2, g) = \{(q_1, *)\} & \delta(q_1, g) = \{(q_2, *)\} \\
\delta(q_2, a) = \{(*, *)\} & \delta(q_1, a) = \emptyset
\end{array}$$

Note that this automaton has an infinite run on the second tree in Figure 1 whereas it has a run only up to level 3 on the first one.

Definition 2.8 ($\mathcal{L}(\mathfrak{A})$). If $\mathfrak{A}$ is a trivial automaton over the alphabet $\Sigma$ then by $\mathcal{L}(\mathfrak{A})$ we denote the language of $\mathfrak{A}$, that is, the set

$$\mathcal{L}(\mathfrak{A}) = \{t \mid \mathfrak{A} \models t\}$$

of all terms $t$ such that $\mathfrak{A}$ has a run on $t$.
Proposition 2.9. There exists a trivial automaton that accepts a tree if and only if its root is labelled by the terminal $f$.

Proof. Let $q_1$ be an all-accepting state, i.e., $\delta(q_1, g) = \{(q_1, \dots, q_1, *, \dots, *)\}$ for all $g \in \Sigma$. Let $q_0$ be the only initial state, and set $\delta(q_0, f) = \{(q_1, \dots, q_1, *, \dots, *)\}$ and $\delta(q_0, g) = \emptyset$ for $g \neq f$. □

Lemma 2.10. If $\mathfrak{A}_0$ and $\mathfrak{A}_1$ are trivial automata, then there is a trivial automaton $\mathfrak{A}$ with $\mathcal{L}(\mathfrak{A}) = \mathcal{L}(\mathfrak{A}_0) \cup \mathcal{L}(\mathfrak{A}_1)$.

Proof. Let $\mathfrak{A}_i$ have state set $Q_i$, initial states $I_i$ and transition $\delta_i$. Assume, without loss of generality, that $Q_0$ and $Q_1$ are disjoint. Then $\mathfrak{A}$ is given by the following data. State set is $Q = Q_0 \cup Q_1$, initial states are $I = I_0 \cup I_1$ and the transition function $\delta$ is defined by $\delta(q, f) = \delta_i(q, f)$ for $q \in Q_i$. □

Lemma 2.11. If $\mathfrak{A}_0$ and $\mathfrak{A}_1$ are trivial automata, then there is a trivial automaton $\mathfrak{A}$ with $\mathcal{L}(\mathfrak{A}) = \mathcal{L}(\mathfrak{A}_0) \cap \mathcal{L}(\mathfrak{A}_1)$.

Proof. Let $\mathfrak{A}_i$ have state set $Q_i$, initial states $I_i$ and transition $\delta_i$. Set $Q = Q_0 \times Q_1$, $I = I_0 \times I_1$ and define $\delta\colon (Q_0 \times Q_1) \times \Sigma \to \mathcal{P}((Q_0 \times Q_1 \cup \{*\})^N)$ by

$$\delta((q, q'), f) = \{((q_1, q'_1), \dots, (q_{\sharp(f)}, q'_{\sharp(f)}), *, \dots, *) \mid (q_1, \dots, q_{\sharp(f)}, *, \dots, *) \in \delta_0(q, f) \wedge (q'_1, \dots, q'_{\sharp(f)}, *, \dots, *) \in \delta_1(q', f)\}.$$

Then $Q$, $I$ and $\delta$ define an automaton $\mathfrak{A}$ as desired. □

Non-determinism immediately provides us with closure under projection of the alpha- 
bet; we'll give a precise definition of this property. 

Definition 2.12. If $\Sigma$ and $\tilde\Sigma$ are sets of terminals, a projection from $\Sigma$ to $\tilde\Sigma$ is a mapping $\pi\colon \Sigma \to \tilde\Sigma$ such that $\sharp(\pi(f)) = \sharp(f)$ for all $f \in \Sigma$. If $t$ is a $\Sigma$-term and $\pi$ is a projection from $\Sigma$ to $\tilde\Sigma$, then by $\pi(t)$ we denote the $\tilde\Sigma$-term that is obtained from $t$ by replacing every label $f$ by $\pi(f)$.

Remark 2.13. In Definition 2.12 the condition on the arity is necessary to ensure that $\pi(t)$ is a well-formed $\tilde\Sigma$-tree, i.e., every $g$-labelled node has $\sharp(g)$ many children.

Lemma 2.14. If $\Sigma$ and $\tilde\Sigma$ are sets of terminals, $\pi$ is a projection from $\Sigma$ to $\tilde\Sigma$, and $\mathfrak{A}$ is a trivial automaton then there is a trivial automaton $\mathfrak{A}_\pi$ such that

$$\mathcal{L}(\mathfrak{A}_\pi) = \{\pi(t) \mid t \in \mathcal{L}(\mathfrak{A})\}.$$

Proof. Let $\mathfrak{A}$ have state set $Q$, initial states $I$ and transition $\delta$. Then a possible automaton $\mathfrak{A}_\pi$ is given by the same set $Q$ of states and the same set $I$ of initial states, but with transition function $\delta_\pi$ defined by $\delta_\pi(q, g) = \bigcup\{\delta(q, f) \mid f \in \Sigma, \pi(f) = g\}$. □

Another obvious closure property of the languages of trivial automata is closure under the temporal "next" operators.

Definition 2.15 ($\mathrm{EX}\mathcal{L}$, $\mathrm{AX}\mathcal{L}$). If $\mathcal{L}$ is a language we define the languages

$$\mathrm{EX}\mathcal{L} = \{f t_1 \dots t_{\sharp(f)} \mid \exists i.\ t_i \in \mathcal{L}\}$$

and

$$\mathrm{AX}\mathcal{L} = \{f t_1 \dots t_{\sharp(f)} \mid \forall i.\ t_i \in \mathcal{L}\}.$$

Lemma 2.16. If $\mathfrak{A}$ is a trivial automaton, then there exist trivial automata $\mathfrak{A}_{\mathrm{EX}}$ and $\mathfrak{A}_{\mathrm{AX}}$ with $\mathcal{L}(\mathfrak{A}_{\mathrm{EX}}) = \mathrm{EX}\mathcal{L}(\mathfrak{A})$ and $\mathcal{L}(\mathfrak{A}_{\mathrm{AX}}) = \mathrm{AX}\mathcal{L}(\mathfrak{A})$.
Proof. To construct $\mathfrak{A}_{\mathrm{AX}}$, add a new state $q_0$ to the state set of $\mathfrak{A}$. This new state will be the only initial state of $\mathfrak{A}_{\mathrm{AX}}$. Extend the transition function $\delta$ by setting

$$\delta(q_0, f) = \{(q_1, \dots, q_{\sharp(f)}, *, \dots, *) \mid q_1, \dots, q_{\sharp(f)} \in I\}$$

where $I$ is the set of initial states of $\mathfrak{A}$.

To construct $\mathfrak{A}_{\mathrm{EX}}$ from $\mathfrak{A}$ add a new state $q_0$, which will be the only initial state of the new automaton, and add a new all-accepting state $q_f$. Extend $\delta$ by setting

$$\delta(q_0, f) = \{\ (q_i, q_f, \dots, q_f, q_f, *, \dots, *),\ (q_f, q_i, \dots, q_f, q_f, *, \dots, *),\ \dots,\ (q_f, q_f, \dots, q_i, q_f, *, \dots, *),\ (q_f, q_f, \dots, q_f, q_i, *, \dots, *) \mid q_i \in I\ \}$$

where $I$ is the set of initial states of $\mathfrak{A}$. □

Definition 2.17 ($p \in t$, $t|_p$, Path). We use $p \in t$ to express that $p$ is a node in $t$. In this case we write $t|_p$ for the subterm of $t$ whose root is $p$.

A path in $t$ is a maximal set $P$ of nodes in $t$ such that if a node $p \in t$ different from the root is in $P$, then so is its parent, and such that for every node in $P$ at most one of its children is in $P$.

Remark 2.18. Immediately from the definition of a path we note that if $P$ is a path in $t$ and $p \in P$ has a child in $t$ then some child of $p$ has to be in $P$.

Definition 2.19. If $\mathcal{L}$ is a language we define the languages

$$\mathrm{EG}\mathcal{L} = \{t \mid \exists P\,(P \text{ path in } t \wedge \forall p \in P.\ t|_p \in \mathcal{L})\}$$

and

$$\mathrm{AG}\mathcal{L} = \{t \mid \forall p \in t.\ t|_p \in \mathcal{L}\}.$$

The next lemma states that the set of languages of trivial automata is closed under the modal operator "globally". On the one hand, this is an interesting closure property, which shows that at least safety properties can be expressed by trivial automata. On the other hand, it is worth looking at the proof of this lemma, as it shows, in a simple setting, all the central ideas that will be used to construct our finitary proof calculus and show its soundness and completeness. The states of the automaton $\mathfrak{A}_{\mathrm{AG}}$ constructed in the proof of Lemma 2.20 should be thought of as annotations proving that $\mathfrak{A}$ has a run starting in various states.

Lemma 2.20. If $\mathfrak{A}$ is a trivial automaton, then there exist trivial automata $\mathfrak{A}_{\mathrm{EG}}$ and $\mathfrak{A}_{\mathrm{AG}}$ such that $\mathcal{L}(\mathfrak{A}_{\mathrm{EG}}) = \mathrm{EG}\mathcal{L}(\mathfrak{A})$ and $\mathcal{L}(\mathfrak{A}_{\mathrm{AG}}) = \mathrm{AG}\mathcal{L}(\mathfrak{A})$.

Proof. Roughly speaking, the idea is to construct an alternating automaton that follows one path (for EG) or spawns through all nodes (for AG) and in each step spawns a new automaton that verifies that $\mathfrak{A}$ has a run on the subtree starting at the current node. This alternation can be removed by a simple powerset construction.

Formally, let $\mathfrak{A}$ be given by the state set $Q$, the initial states $I$ and the transition function $\delta$. Define $Q_{\mathrm{AG}} = \mathcal{P}(Q)$, $I_{\mathrm{AG}} = \{M \in \mathcal{P}(Q) \mid M \cap I \neq \emptyset\}$, and

$$\delta_{\mathrm{AG}}(M, f) = \{(M_1, \dots, M_{\sharp(f)}, *, \dots, *) \mid [\forall q \in M\ \exists (q_1, \dots, q_{\sharp(f)}, *, \dots, *) \in \delta(q, f).\ q_1 \in M_1 \wedge \dots \wedge q_{\sharp(f)} \in M_{\sharp(f)}] \wedge \forall i\,(M_i \cap I \neq \emptyset)\}.$$
Let $\mathfrak{A}_{\mathrm{AG}}$ be the automaton given by this data. Intuitively, the first condition in the transition function ensures that every state in $M$ can be continued to a run of $\mathfrak{A}$, whereas the second condition ensures that a new run of $\mathfrak{A}$ can be started at every node.

To verify these properties first assume that $t \in \mathrm{AG}\mathcal{L}(\mathfrak{A})$. For every node $p \in t$ set $M_p = \{q \in Q \mid \mathfrak{A}, q \models t|_p\}$. Then the mapping $p \mapsto M_p$ is a run of $\mathfrak{A}_{\mathrm{AG}}$ on $t$. The first condition in the transition relation is fulfilled since every state that has an infinite run must be able to make a transition to new states that have an infinite run on the corresponding subtrees. The second condition is satisfied since $t \in \mathrm{AG}\mathcal{L}(\mathfrak{A})$ guarantees that $\mathfrak{A}$ has a run for every subtree; so at every subtree, some initial state has to have a run.

Now assume $t_0 \in \mathcal{L}(\mathfrak{A}_{\mathrm{AG}})$. So there is a run $r$ of $\mathfrak{A}_{\mathrm{AG}}$ on $t_0$. We have to show that $t_0 \in \mathrm{AG}\mathcal{L}(\mathfrak{A})$. To do so, we show that for all trees $t$, all $M \in Q_{\mathrm{AG}}$, if there is any run of $\mathfrak{A}_{\mathrm{AG}}$ on $t$ starting in $M$ then for all $n \in \mathbb{N}$, it holds that $\forall q \in M.\ \mathfrak{A}, q \models^n t$.

This indeed shows $t_0 \in \mathrm{AG}\mathcal{L}(\mathfrak{A})$. By the properties of $I_{\mathrm{AG}}$ and $\delta_{\mathrm{AG}}$ we immediately get that for all $p \in t_0$ the set $r(p)$ contains an element $q_p \in I$. Applying the claim to $t_0|_p$ we obtain that $\mathfrak{A}$ has a run, starting in $q_p$, on $t_0|_p$.

So let us show the claim. We argue by induction on $n$. For $n = 0$ there's nothing to show. So let $n \geq 1$ and $q \in M$. Assume that $t$ is of the form $t = f t_1 \dots t_{\sharp(f)}$ and let $M_1, \dots, M_{\sharp(f)}$ be the states of the run of $\mathfrak{A}_{\mathrm{AG}}$ at the children of the root. Since $(M_1, \dots, M_{\sharp(f)}, *, \dots, *) \in \delta_{\mathrm{AG}}(M, f)$ there exist $q_1, \dots, q_{\sharp(f)}$ such that $(q_1, \dots, q_{\sharp(f)}, *, \dots, *) \in \delta(q, f)$ and $q_i \in M_i$. Applying the induction hypothesis to $M_i$ and $t_i$ we get $\mathfrak{A}, q_i \models^{n-1} t_i$. Together with the transition $q \mapsto (q_1, \dots, q_{\sharp(f)})$ we get $\mathfrak{A}, q \models^n t$.

The construction for $\mathfrak{A}_{\mathrm{EG}}$ is similar. □
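
As an added example (not code from the paper), the following Python model implements trivial automata and runs up to level $n$ as in Definitions 2.3 and 2.4, applies them to the automaton of Example 2.7, and builds the powerset automaton $\mathfrak{A}_{\mathrm{AG}}$ from the proof of Lemma 2.20. Trees are lazy, so regular infinite trees can be represented; the sample trees are constructed here and are not the trees of Figure 1, and the code checks the transition condition at every node of depth below $n$, which is one reading of "run up to level $n$".

```python
from itertools import combinations, product

# A tree node is (label, thunk), where thunk() returns the tuple of children.
# Infinite regular trees are self-referential closures, unfolded only as far as
# a run inspects them.
def leaf(label):
    return (label, lambda: ())

def node(label, *kids):
    return (label, lambda: kids)

A = leaf('a')
def g(t): return node('g', t)
def f(s, t): return node('f', s, t)

ARITY = {'f': 2, 'g': 1, 'a': 0}

class TrivialAutomaton:
    """Definition 2.3.  A transition is stored as a tuple of exactly arity(f)
    states; the paper pads it with '*' up to the maximal arity N."""
    def __init__(self, states, initial, delta):
        self.Q, self.I, self.delta = frozenset(states), frozenset(initial), delta

    def step(self, q, label):
        return self.delta.get((q, label), set())

def has_run_upto(aut, tree, n, q):
    """Definition 2.4: a run up to level n starting in q.  Reading used here:
    the transition condition is checked at every node of depth < n, so that all
    of its children lie within level n; nodes at depth n only carry a state."""
    def ok(t, q, depth):
        if depth >= n:
            return True
        label, kids = t
        children = kids()
        return any(all(ok(c, p, depth + 1) for c, p in zip(children, tup))
                   for tup in aut.step(q, label))
    return ok(tree, q, 0)

def accepts_upto(aut, tree, n):
    """A run up to level n starting in some initial state."""
    return any(has_run_upto(aut, tree, n, q) for q in aut.I)

# Example 2.7: every maximal chain of g's has even length.
EVEN_G = TrivialAutomaton(
    states={'q2', 'q1'}, initial={'q2'},
    delta={('q2', 'f'): {('q2', 'q2')}, ('q1', 'f'): set(),
           ('q2', 'g'): {('q1',)},       ('q1', 'g'): {('q2',)},
           ('q2', 'a'): {()},            ('q1', 'a'): set()})

def powerset(s):
    s = sorted(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]

def ag_automaton(aut, arity):
    """Lemma 2.20: states are sets M of states of `aut`.  (M_1..M_k) is a
    transition from M on f iff every q in M can step to some (q_1..q_k) with
    q_i in M_i, and every M_i contains an initial state, so that a fresh run
    of `aut` starts at every node."""
    subsets = powerset(aut.Q)
    initial = {M for M in subsets if M & aut.I}
    delta = {}
    for M in subsets:
        for label, k in arity.items():
            delta[(M, label)] = {
                Ms for Ms in product(subsets, repeat=k)
                if all(Mi & aut.I for Mi in Ms)
                and all(any(all(qi in Mi for qi, Mi in zip(tup, Ms))
                            for tup in aut.step(q, label))
                        for q in M)}
    return TrivialAutomaton(subsets, initial, delta)

# Constructed sample trees (not the trees of Figure 1).
def gs(k):                       # g^k a
    t = A
    for _ in range(k):
        t = g(t)
    return t

def growing_chains(k=0):         # f(g^k a, f(g^{k+1} a, ...)): the chain g a is odd
    return ('f', lambda: (gs(k), growing_chains(k + 1)))

EVEN_CHAINS = ('f', lambda: (g(g(A)), EVEN_CHAINS))   # f(gga, f(gga, ...))
NO_G = ('f', lambda: (A, NO_G))                        # f(a, f(a, ...))

if __name__ == '__main__':
    AG = ag_automaton(EVEN_G, ARITY)
    print(has_run_upto(EVEN_G, growing_chains(), 3, 'q2'),  # True
          has_run_upto(EVEN_G, growing_chains(), 4, 'q2'),  # False: g a at depth 2
          accepts_upto(EVEN_G, EVEN_CHAINS, 20),             # True
          accepts_upto(AG, NO_G, 10),                        # True: every subtree is accepted
          accepts_upto(AG, EVEN_CHAINS, 4))                  # False: the subtree g a is not
```

The last two calls show that $\mathrm{AG}\mathcal{L}(\mathfrak{A})$ is strictly smaller than $\mathcal{L}(\mathfrak{A})$ for this automaton: the tree with chains of length 2 is accepted, but its subtree $g a$ is not.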

Taking stock, we see that quite a few safety properties can be expressed by trivial automata. Proposition 2.9 and Lemmata 2.10, 2.11, 2.16 and 2.20 show that the fragment of CTL given by the following grammar can be expressed by trivial automata.

$$\varphi, \psi ::= f \mid \varphi \vee \psi \mid \varphi \wedge \psi \mid \mathrm{EX}\varphi \mid \mathrm{AX}\varphi \mid \mathrm{EG}\varphi \mid \mathrm{AG}\varphi$$

Of course $\neg f$ can be expressed by an appropriate disjunction over all the other letters of the alphabet.

Even though this grammar probably does not exhaust all the properties expressible by 
trivial automata, it gives the right flair of the properties being safety properties. We will 
now show that the simplest liveness property, that is the "eventually" modality, cannot be 
expressed, not even for word languages. 

Definition 2.21 (Word Alphabet). An alphabet $\Sigma$ is called a word alphabet, if all its letters $f \in \Sigma$ have arity $\sharp(f) = 1$.

Remark 2.22. If $\Sigma$ is a word alphabet, then the only $\Sigma$-terms are $\omega$-words.

Lemma 2.23 (Pumping Lemma for Trivial Automata over Words). Let $\mathfrak{A}$ be a trivial automaton over a word alphabet $\Sigma$. Then there is a natural number $n$ such that for every word $w$ such that $\mathfrak{A} \models w$ there is a prefix of $w$ of the form $uv$ with $|uv| \leq n$ and $|v| \geq 1$ such that $uv^\omega \in \mathcal{L}(\mathfrak{A})$.

Proof. Set $n = |Q| + 1$ where $Q$ is the set of states of $\mathfrak{A}$. Let $w = f_0 f_1 f_2 \dots$ and assume $\mathfrak{A} \models w$. Let the states $q_0 q_1 \dots q_{n-1}$ constitute such a run up to level $n$ on $w$. Since $|Q| = n - 1$ there must be $0 \leq i < j < n$ such that $q_i = q_j$. Set $u = f_0 \dots f_{i-1}$ and $v = f_i \dots f_{j-1}$. Then $q_0 \dots q_{i-1}(q_i \dots q_{j-1})^\omega$ constitutes a run on $uv^\omega$ and $u$, $v$ are as desired. □
An immediate consequence is that trivial automata cannot express the property "eventually $b$", as the following corollary shows.

Corollary 2.24. The language $\mathcal{L} = a^* b (a + b)^\omega$ is not the language of any trivial automaton.

Proof. Suppose, for sake of contradiction, that $\mathcal{L} = \mathcal{L}(\mathfrak{A})$ for some trivial automaton $\mathfrak{A}$ and let $n$ be as asserted by Lemma 2.23. Consider $a^n b a^\omega \in \mathcal{L} = \mathcal{L}(\mathfrak{A})$ and let $u$, $v$ be as asserted by the lemma. Since $uv$ is a prefix of $a^n b a^\omega$ of length at most $n$, both $u$ and $v$ must consist of letters $a$ only, and therefore the lemma asserts $a^\omega \in \mathcal{L}(\mathfrak{A}) = \mathcal{L}$ which is not the case. □

3. Infinitary Lambda Trees 

Now let $\Sigma'$ be a fixed set of letters and let $f$ from now on only range over elements of $\Sigma'$. The choice of the name $\Sigma'$ will become clear in Definition 5.2, when we have to extend the alphabet in the context of continuous normalisation.

Definition 3.1. The simple types, denoted by $\rho, \sigma, \tau$, are built from the base type $\iota$ by arrows $\rho \to \sigma$. The arrow associates to the right. In particular, $\rho_1 \to \dots \to \rho_n \to \iota$ is short for $\rho_1 \to (\rho_2 \to (\dots(\rho_n \to \iota)\dots))$.

In the lambda calculus the most common way to form terms is via application. In lambda-trees application is represented by a binary @-node. In linear notation, we omit the "@" and write a tree consisting of an @-node at the root and subtrees $s$ and $t$ just as juxtaposition $st$. Application associates to the left, i.e., $rst$ is short for $((rs)t)$.

Definition 3.2. The infinitary simply-typed lambda-trees over typed terminals $\Sigma'$ are coinductively given by the grammar

In other words, they are, not-necessarily well-founded, trees built, in a locally type-respecting way, from unary $\lambda x^\rho$-nodes, binary @-nodes representing application, and leaf nodes consisting of typed variables $x^\rho$ of type $\rho$ and typed constants $f \in \Sigma'$ of type $\underbrace{\iota \to \dots \to \iota}_{\sharp(f)} \to \iota$.

Here $\lambda x^\rho$ binds free occurrences of the variable $x^\rho$ in its body. Trees with all variables bound are called closed.

A lambda-tree with only finitely many non-isomorphic subtrees is called regular.

We omit type superscripts if they are clear from the context, or irrelevant.

We usually leave out the words "simply typed", tacitly assuming all our lambda-trees to be simply typed and to use terminals from $\Sigma'$ only. Figure 2 shows two regular lambda-trees. Arrows are used to show where the pattern repeats, or to draw isomorphic subtrees only once. Note that they denote terms (shown in Figure 1) that are not regular. Here, by "denote" we mean the term reading of the normal form.

Remark 3.3. It should be noted that in lambda-trees, as opposed to $\Sigma'$-terms, all constants and variables, no matter what their type is, occur at leaf positions.

The reason is that in a lambda-calculus setting the main concept is that of an application. This is different from first order terms, where the constructors are the main concept. Note that we use lambda-trees to denote $\Sigma'$-terms. As these are different concepts, even
Figure 2: Two regular lambda-trees with denotation being the $\{f, g, a\}$-terms in Figure 1.

normal lambda-trees differ from their denotation. For example the lambda-tree shown here (diagram not reproduced; its leaves are $g$ and $a$) denotes the $\Sigma'$-term shown here (diagram not reproduced; its leaves are $a$ and $a$).

4. Recursion Schemes as Means to Define Regular Lambda Trees 

The interest in infinitary lambda-trees in the verification community recently arose by the study of recursion schemes. It could be shown [10, 11] that under a certain "safety" condition the (infinite) terms generated by recursion schemes have decidable monadic second order theory. For our purpose it is enough to consider recursion schemes as a convenient means to define regular lambda-trees.

Definition 4.1. Recursion schemes are given by a set of first-order terminal symbols, simply-typed non-terminal symbols and for every non-terminal $F$ an equation

$$F\vec x = e$$

where $e$ is an expression of ground type built up from terminals, non-terminals and the variables $\vec x$ by type-respecting application. There is a distinguished non-terminal symbol $S$ of ground type, called the start symbol.

Definition 4.2. Each recursion scheme denotes, in the obvious way, a partial, in general 
infinite, term built from the terminals. Starting from the start symbol, recursively re- 
place the outer-most non-terminals by their definitions with the arguments substituted in 
appropriately. 
Figure 3: Two recursion schemes (the displayed equations for $S$, $F$, $S'$, $F'$ and $W$ are not legible in this copy).

Definition 4.3. To every recursion scheme is associated a regular lambda-tree in the following way. First replace all equations $F\vec x = e$ by

$$F = \lambda\vec x.e$$

where the right hand side is read as a lambda term.

Then, starting from the start symbol, recursively replace all non-terminals by their definition without performing any computations.

Remark 4.4. Immediately from the definition we note that the $\beta$-normal form of the lambda-tree associated with a recursion scheme, when read as a term, is the term denoted by that recursion scheme.

Example 4.5. Figure 3 shows two recursion schemes with non-terminals $F\colon \iota \to \iota$, $F'\colon (\iota \to \iota) \to \iota$, $W\colon (\iota \to \iota) \to \iota \to \iota$, and $S, S'\colon \iota$. Their corresponding lambda-trees are the ones shown in Figure 2. The sharing of an isomorphic sub-tree arises as both are translations of the same non-terminal $W$. As already observed, these recursion schemes denote the terms shown in Figure 1.

Remark 4.6. The notion of a recursion scheme wouldn't change if we allowed $\lambda$-abstractions on the right hand side of the equations; we can always build the closure and "factor it out" as a new non-terminal. For example, the $W\varphi$ in the definition of $F'$ in Figure 3 should be thought of as the factored-out closure $(\lambda x.\varphi(\varphi x))$ which is part of a line that originally looked like

$$F'\varphi = f(\varphi a)(F'(\lambda x.\varphi(\varphi x))).$$



5. Continuous Normalisation for the Lambda Calculus 

As mentioned in the introduction, we are interested in the question, whether an automaton $\mathfrak{A}$ has a run on the normal form of some lambda-tree $t$. Our plan to investigate this question is by analysing the term $t$.

However, there is no bound on the number of nodes of t that have to be inspected, and 
no bound on the number of beta-reductions to be carried out, before the first symbol of 
the normal form is determined — if it ever will be. In fact, it may well be that an infinite 
simply-typed lambda-tree leaves the normal form undefined at some point. 

Example 5.1. It should be noted that the typing discipline does not prevent the problem of undefinedness. This is due to the inherently infinitary nature of recursion schemes. Let $Y\colon (\iota \to \iota) \to \iota$, $I\colon \iota \to \iota$, and $S\colon \iota$ be non-terminal symbols and consider the recursion scheme

$$Y\varphi = \varphi(Y\varphi)$$
$$Ix = x$$
$$S = YI$$
Figure 4: The lambda-tree associated to the recursion scheme in Example 5.1 with start symbol $S$.

Computing the normal form of the associated lambda-tree gives the following infinite reduction sequence $S = YI \to_\beta I(YI) \to_\beta YI \to_\beta \dots$. Of course, the fact that the computation will never produce a terminal symbol can, in this example, also be trivially seen from the fact that the whole recursion scheme does not contain any terminal symbol.

Whereas the unboundedness of the number of symbols to be inspected is merely a huge inconvenience, the possibility of undefinedness makes it unclear what it even is supposed to mean that "$\mathfrak{A}$ has a run on the normal form of $t$" — if there is no such normal form.

This problem of possible undefinedness of the normal form is similar to a situation in proof theory, where only strong principles guarantee the termination of the cut-elimination procedure, whereas the operation itself can be defined in primitive recursive arithmetic. Continuous Normalisation was introduced by Mints [12, 13] in order to separate cut-elimination for semiformal systems from their ordinal analysis. The operational aspects of normalisation, i.e., the manipulations on infinitary derivations, are isolated and described independently of the system's proof theoretic complexity, but at the expense of introducing the void logical rule of repetition. Note that this rule is both logically valid and has the subformula property.

Using the repetition rule, the cut-elimination operator becomes primitive recursive and can be studied in its own right. As Mints observed, this cut-elimination operator can also be applied to non-wellfounded derivations, resulting in a continuous function on derivation trees (a concise exposition can be found in an article [6] by Buchholz).

The possibility to handle infinite computations is particularly natural in the realm of the lambda calculus, where non-termination actually does happen. Let us explain the idea of continuous normalisation for the lambda-calculus [2, 3] by considering the recursion scheme in Example 5.1. The associated lambda tree is shown in Figure 4.

We look at the outer-most constructor of the term and see an application. Just from this knowledge we cannot deduce any constructor of the normal form. The normal form read as a lambda-tree could be an application as well, e.g., if the left term is a terminal; since we're trying to compute the normal form as a $\Sigma'$-tree, even in this case we would have to inspect the term further to find out which terminal it is that the term starts with. But, more importantly, it could also be that the left term is a $\lambda$-abstraction, in which case a beta-reduction has to be carried out and the normal form could look almost arbitrary. So we don't know any constructor of the normal form yet. On the other hand, we want to be uniformly continuous with identity as modulus of continuity; in other words, we want to ensure that the output of all nodes of level $k$ only depends on the input of level $k$. We solve this problem by outputting $\mathcal{R}$, signalling that we have to read more input to decide what the normal form will look like.

Having output $\mathcal{R}$ we now may look at the next level of the term. Seeing the $\lambda\varphi$ we still don't know any constructor of the normal form, but at least we know that we have to wait for a different reason — we have to carry out some computation. Therefore we output a $\beta$ constructor, signalling that the delay in the output is due to a beta-reduction being carried out. Note that in a certain sense (made precise in Lemma 5.4) this $\beta$ "justifies" the first $\mathcal{R}$-constructor. The application we have seen in the first step has disappeared due to the beta-reduction being carried out. A different form of justification would be outputting a $\Sigma'$-term, where the lambda-tree reading contains an application. For example the term $fa$ with $f$ and $a$ both terminals would have continuous normal form $\mathcal{R}(f(a))$, with the $\mathcal{R}$ justified by the fact that $f$ is applied to one argument $a$.

After this beta-reduction the term $I(YI)$ is remaining, so we're looking at an application again, and, as before, wait by saying $\mathcal{R}$. Again, there is a lambda abstraction to the left of the application, so we say $\beta$ and carry out the reduction due to the $\lambda x$, leaving us with $YI$, which happens to be the term we started with. Of course, we don't know this yet, as the only thing we see so far is the outermost @. But the fact that we arrived at $YI$ again ensures that the pattern $\mathcal{R}\beta\mathcal{R}\beta\dots$ of the normal form will repeat.

Let us now formally introduce continuous normalisation. As mentioned, we extend the language by two new terminals: the $\mathcal{R}$-constructor for a delay due to inspection of an application and the $\beta$-constructor for a delay due to a beta-reduction.

Definition 5.2. Define $\Sigma = \Sigma' \cup \{\mathcal{R}, \beta\}$ with $\mathcal{R}, \beta$ two new terminals of arity one.

The continuous normalisation procedure, which will compute the continuous normal 
form, follows the informal description above. In other words, if we see an application 
we output R and carry on by reading more input. If we see a lambda-abstraction our 
typing restrictions force that we have to have collected some arguments before, so that a 
beta-reduction has to be carried out, accompanied by a β constructor; in the more general 
case [2] of the untyped lambda calculus [5] we would have to do a case distinction on whether 
we have at least one argument collected or not. In the latter case the normal form would 
start with a λ. Finally, if we find a terminal symbol we construct a term, which is the 
terminal symbol applied to the continuous normal forms of the arguments collected so far. 

In our official Definition 5.3 of the continuous normal form, the expression t@t⃗ should 
be read as "the continuous normal form of t, with arguments t1, ..., tn collected already". 
Correspondingly the continuous normal form of t is t@() which we also abbreviate by t^∞. 

Definition 5.3. For t, t⃗ closed infinitary simply-typed lambda-trees such that t t⃗ is of 
ground type we define a Σ-term t@t⃗ coinductively as follows. 



Here we used r[s/x] to denote the substitution of s for x in r. This substitution is necessarily 
capture free as s is closed. By f(r1, ..., rn) we denote the term with label f at the root 
and r1, ..., rn as its n children; this includes the case n = 0, where f() denotes the term 
consisting of a single node f. Similar notation is used for R(r) and β(r). Moreover we 
use r^∞ as a shorthand for r@(). 

The term t^∞ is also called the continuous normal form of t. 

A first observation is that the definition obeys the informal idea of "justifying" the 
delay constructors. We note that, whenever the number of collected arguments increases 
we output an R, and whenever the number of arguments decreases (due to an argument 
being consumed by a beta-reduction) we output a β. This bookkeeping of the number of 
collected arguments is made precise in the next lemma. 

Lemma 5.4. If t@(t1, ..., tk) = W1(W2(...(Wℓ(f(r⃗))))) with W1, ..., Wℓ ∈ {R, β} then 
the equation k + |{i | Wi = R}| = |{i | Wi = β}| + ar(f) holds, where ar(f) is the arity of f. 

Proof. A simple induction on ℓ. If ℓ = 0, the claim k = ar(f) follows from the typing 
requirements. Note that we allowed the expression t@t⃗ only if t t⃗ is well typed of ground 
type. If ℓ > 0 we distinguish whether t is an application or a lambda-abstraction. In either 
case we unfold the definition of t@t⃗ once and can apply the induction hypothesis. □ 
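The procedure of Definition 5.3 and the bookkeeping of Lemma 5.4 as an added example, not code from the paper: continuous normalisation in Python, cut at a finite output depth so that it terminates on regular trees such as YI. The tuple encoding of terms, the "ref"/defs representation of regular trees and the sample terms are constructed here; well-typed, productive input is assumed.

```python
# Added example (not from the paper): the continuous normalisation procedure of
# Definition 5.3, computed to a finite output depth so that it terminates on
# regular infinite lambda-trees.  A regular tree is given as a finite system of
# closed named definitions ("ref" nodes), as a recursion scheme would provide it.
# Terms:  ("var", x) | ("lam", x, body) | ("app", s, t) | ("const", f, arity) | ("ref", name)
# Output: ("delay", "R" or "β", child) | ("node", f, children) | CUT
from typing import Dict, Optional, Tuple

CUT = "..."  # marks where the output was cut off at the requested depth


def subst(t, x, s):
    """r[s/x] for closed s: capture is impossible, and ref bodies are closed."""
    kind = t[0]
    if kind == "var":
        return s if t[1] == x else t
    if kind == "lam":
        return t if t[1] == x else ("lam", t[1], subst(t[2], x, s))
    if kind == "app":
        return ("app", subst(t[1], x, s), subst(t[2], x, s))
    return t  # const or ref


def cnf(t, args: Tuple, defs: Dict[str, tuple], depth: int):
    """t@args of Definition 5.3, unfolded until `depth` constructors are output.

    Assumes t args is well typed of ground type (so a lambda always finds a
    collected argument) and productive (every cycle through a ref outputs something).
    """
    if depth == 0:
        return CUT
    kind = t[0]
    if kind == "ref":                      # unfolding the regular tree outputs nothing
        return cnf(defs[t[1]], args, defs, depth)
    if kind == "app":                      # collect the argument and say R
        return ("delay", "R", cnf(t[1], (t[2],) + args, defs, depth - 1))
    if kind == "lam":                      # consume one argument by beta-reduction and say β
        assert args, "typing guarantees a collected argument for every lambda"
        return ("delay", "β", cnf(subst(t[2], t[1], args[0]), args[1:], defs, depth - 1))
    if kind == "const":                    # terminal: normalise the collected arguments
        assert len(args) == t[2], "typing forces exactly arity many collected arguments"
        return ("node", t[1], tuple(cnf(a, (), defs, depth - 1) for a in args))
    raise ValueError(f"free variable {t[1]}: t@args is only defined for closed t")


def render(out) -> str:
    """Print an output prefix as in the text, e.g. R(β(R(β(...))))."""
    if out == CUT:
        return CUT
    if out[0] == "delay":
        return f"{out[1]}({render(out[2])})"
    return out[1] if not out[2] else f"{out[1]}({', '.join(map(render, out[2]))})"


def lemma_5_4_holds(t, args: Tuple, defs: Dict[str, tuple], depth: int) -> Optional[bool]:
    """Check k + #R = #β + arity(f) along the delay prefix of t@args (Lemma 5.4).

    Returns None if the output is cut before the first terminal symbol appears.
    """
    out, n_r, n_b = cnf(t, args, defs, depth), 0, 0
    while out != CUT and out[0] == "delay":
        n_r += out[1] == "R"
        n_b += out[1] == "β"
        out = out[2]
    if out == CUT:
        return None
    return len(args) + n_r == n_b + len(out[2])


# Constructed inputs: I = λx.x, the regular tree YI = I(YI) of the text, the term
# f a of the text, and (λx.λy. g x y) a b to exercise the bookkeeping of Lemma 5.4.
I = ("lam", "x", ("var", "x"))
DEFS = {"YI": ("app", I, ("ref", "YI"))}
F_A = ("app", ("const", "f", 1), ("const", "a", 0))
G, A, B = ("const", "g", 2), ("const", "a", 0), ("const", "b", 0)
TWO_ARGS = ("app", ("app", ("lam", "x", ("lam", "y", ("app", ("app", G, ("var", "x")), ("var", "y")))), A), B)

if __name__ == "__main__":
    print(render(cnf(("ref", "YI"), (), DEFS, 6)))   # R(β(R(β(R(β(...))))))
    print(render(cnf(F_A, (), {}, 4)))               # R(f(a))
    print(render(cnf(TWO_ARGS, (), {}, 10)))         # R(R(β(β(R(R(g(a, b)))))))
```

On YI the output never reaches a terminal, so lemma_5_4_holds reports None there, while on the other two terms the count of collected arguments matches the arity of the terminal reached.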

Next we will study the relation between lambda terms, their continuous normal forms, 
and their normal forms in the usual sense, in case the latter exist. This, on the one hand, 
will give a clearer picture of what the continuous normal form of a lambda term is. On 
the other hand, it will also justify the claim that it is not only technically more convenient 
for the development in the rest of this article to use continuous normalisation, but that it 
is also more informative. 

As an immediate observation, the reader might note that any property expressible 
by some automaton 𝔄 working on Σ'-trees can be lifted to a property on Σ-trees by 
"ignoring the additional R and β constructors". The lifted property can also be ex- 
pressed by an automaton. We just have to extend the transition function δ by setting 
δ(q, R) = δ(q, β) = {(q, *, ..., *)}. In particular, using continuous normalisation does not 
cause any disadvantages for the decision problem we are interested in. 

We already mentioned that output up to depth h only depends on the input up to 
depth h. To make this idea precise, we first define a notion of similarity for lambda-trees or 
Σ-terms. The relation r ≈k s holds, if r and s coincide up to level k. This is made precise 
in the following definition. 

Definition 5.5. For Σ-terms r, s we define, by induction on k, the relation r ≈k s by the 
following rules. 

• r ≈0 s holds for all r, s. 

• If r1 ≈k s1, ..., rℓ ≈k sℓ then f(r1, ..., rℓ) ≈k+1 f(s1, ..., sℓ). 

For lambda-trees r, s we define, by induction on k, the relation r ≈k s by the following 
rules. 

• r ≈0 s holds for all r, s. 

• If r ≈k s then λx.r ≈k+1 λx.s. 

• If r ≈k r' and s ≈k s' then rs ≈k+1 r's'. 

• x ≈k x and f ≈k f for every k. 

Proposition 5.6. If r and s are both Σ-terms or both lambda-trees and ℓ, k ∈ ℕ, then 
r ≈ℓ s and ℓ ≥ k imply r ≈k s. 

Proof. Induction on k. □ 

Remark 5.7. Obviously, s = t holds if and only if ∀k. s ≈k t. Moreover, each of the 
relations ≈k is an equivalence relation. 

Proposition 5.6 and Remark 5.7 together show that we obtain a metric d if we set 
d(s, t) to be 0 if s = t and otherwise set d(s, t) =   where k is maximal such that s ≈k t. 
We will now show that continuous normalisation is continuous with respect to this topology. 
In fact, we even show a stronger statement of uniform continuity. 

Proposition 5.8. If s ≈k s' and t1 ≈k t1', ..., tn ≈k tn' then s@t⃗ ≈k s'@t⃗'. 

Proof. Induction on k. If k = 0, there is nothing to show. If k > 0, then the outermost 
constructors of s and s' have to coincide. We unfold the definitions of s@t⃗ and s'@t⃗' once 
and apply the induction hypothesis. □ 

Now that we know (by Proposition 5.8) that continuous normalisation does not consume 
too much input in order to produce the output, we aim at showing that the output is actually 
useful and not just a pointless collection of delay constructors. We have already seen (in 
Lemma 5.4) that the R constructors are justified by either β constructors or the arity of 
the terminals in the output produced. So what remains to show is that the β constructors 
are not arbitrary, but in a reasonable sense related to the underlying computation. In 
fact, it will turn out that every β constructor corresponds to a beta reduction in the head 
normalisation strategy; compare Lemmata 5.9 and 5.10. It is well known that this reduction 
strategy finds a normal form, if there is one. 

Lemma 5.9. If t@t⃗ = W1(...(Wk(f(s1, ..., s_ar(f))))) with Wi ∈ {R, β} then there are 
lambda-trees r1, ..., r_ar(f) such that 

• t t⃗ reduces in n head-reduction steps to f r⃗ where n is the number of β constructors, i.e., 
n = |{i | Wi = β}|, and 

• for each i it holds that ri^∞ = si. 

Proof. Induction on k. If k = 0, inspection of Definition 5.3 of t@t⃗ shows that it must be 
the case that t = f. So, in this case f@t⃗ = f(t1^∞, ..., t_ar(f)^∞) and we can take r⃗ to be t⃗. 

If k > 0 and W1 = β it must be the case that t = λx.t'. Then (λx.t')@(t1, t2, ..., tℓ) = 
β((t'[t1/x])@(t2, ..., tℓ)). So (t'[t1/x])@(t2, ..., tℓ) = W2(...(Wk(f(s1, ..., s_ar(f))))) and the 
induction hypothesis gives us r⃗ with ri^∞ = si such that (t'[t1/x]) t2 ... tℓ reduces in n − 1 
steps to f r⃗. Since, moreover, in one head reduction step, t t⃗ = (λx.t') t1 t2 ... tℓ reduces to 
t'[t1/x] t2 ... tℓ, this yields the claim. If k > 0 and W1 = R the claim is immediate from the 
induction hypothesis. □ 

Lemma 5.10. If t t⃗ reduces by n head reduction steps to f r1 ... r_ar(f) then for 
some W1, ..., Wk ∈ {R, β} with |{i | Wi = β}| = n we have t@t⃗ = 
W1(...(Wk(f(r1^∞, ..., r_ar(f)^∞)))). 

Proof. Induction on n. If n = 0 then t t⃗ must be of the form f r⃗ and, indeed, t@t⃗ = 
R(...(R(f@r⃗))) = R(...(R(f(r1^∞, ..., r_ar(f)^∞)))). 

If n > 0 then t t⃗ is of the form (λx.s) s⃗. Writing t⃗' for the list s⃗ we note that t@t⃗ = 
R(...(R((λx.s)@t⃗'))) = R(...(R(β(s[t1'/x]@(t2', ..., tℓ'))))). Since the head reduct of t t⃗ 
is s[t1'/x] t2' ... tℓ', the induction hypothesis yields the claim. □ 

It should be noted that in the special case of t⃗ being the empty list, Lemmata 5.9 
and 5.10 talk about the continuous normal form of t. 

6. Finitary Semantics and Proof System 

Let 𝔄 be a fixed nondeterministic tree automaton with state set Q and transition 
function δ: Q × Σ → ℘((Q ∪ {*})^N). The main technical idea of this article is to use a 
finite semantics for the simple types, describing how 𝔄 "sees" an object of that type. 

Definition 6.1. For τ a simple type we define [τ] inductively as follows. 

[ι] = ℘(Q) 
[ρ → σ] = [σ]^[ρ], the set of all functions from [ρ] to [σ] 

In other words, we start with the power set of the state set of 𝔄 in the base case, and use 
the full set-theoretic function space for arrow types. 

Remark 6.2. Obviously all the [r] are finite sets. 

Example 6.3. Taking 𝔄 to be the automaton of Example 2.7 we have [ι] = {∅, {q2}, {q1}, Q} 
and examples of elements of [ι → ι] include the identity function id, as well as the "swap func- 
tion" swap defined by swap(∅) = ∅, swap(Q) = Q, swap({q2}) = {q1}, and swap({q1}) = 
{q2}. 

Definition 6.4. [τ] is partially ordered as follows. 

• For R, S ∈ [ι] we set R ⊑ S iff R ⊆ S. 

• For f, g ∈ [ρ → σ] we set f ⊑ g iff ∀a ∈ [ρ]. fa ⊑ ga. 

Remark 6.5. Obviously suprema and infima with respect to ⊑ exist. 

We often need the concept "continue with f after reading one R symbol". We call this 
R-lifting. Similarly for β. 

Definition 6.6. For f ∈ [ρ⃗ → ι] we define the liftings R(f), β(f) ∈ [ρ⃗ → ι] as follows. 

R(f)(a⃗) = {q | δ(q, R) ∩ f a⃗ × {*} × ... × {*} ≠ ∅} 
β(f)(a⃗) = {q | δ(q, β) ∩ f a⃗ × {*} × ... × {*} ≠ ∅} 

Remark 6.7. If 𝔄 is obtained from an automaton working on Σ'-terms by setting δ(q, R) = 
δ(q, β) = {(q, *, ..., *)} then R(f) = β(f) = f for all f. 

Using this finite semantics we can annotate a lambda-tree by semantical values 
for its subtrees to show that the denoted term has good properties with respect to 𝔄. We 
start with an example. 

Example 6.8. The second recursion scheme in Figure 3 denotes a term where the "side 
branches" contain 2, 4, 8, ..., 2^n, ... times the letter g. As these are all even numbers, the 
automaton 𝔄 of Example 2.7 should have a run starting in q2. 

We now informally argue how a formal "proof" of this fact can be obtained by assigning 
semantical values to the nodes of the corresponding lambda-tree, which is the right tree in 
Figure 2. The notion of "proof" will be made formal in Definition 6.10. 

So we start by assigning the root {q2} ∈ [ι]. Since the term is an application, we have 
to guess the semantics of the argument (of type ι → ι). Our (correct) guess is that it 
keeps the parity of gs unchanged, hence our guess is id; the function side then must be 
something that maps id to {q2}. Let us denote by id ↦ {q2} the function in [(ι → ι) → ι] defined 
by (id ↦ {q2})(id) = {q2} and (id ↦ {q2})(f) = ∅ if f ≠ id. 

[Figure 5: A proof that 𝔄 has an infinite run starting in q2 on the denoted term. The 
figure shows the right lambda-tree of Figure 2 with every node annotated by a context 
(Γ_φ, Γ'_φ, Γ_{φ,x} or Γ'_{φ,x}) and a semantic value, among them id ↦ {q2}, id, swap, 
{q2} and {q1}.] 

The next node to the left is an abstraction. So we have to assign the body the value 
{q2} in a context where φ is mapped to id. Let us denote this context by Γ_φ. 

In a similar way we fill out the remaining annotations. Figure 5 shows the whole proof. 
Here Γ'_φ is the context that maps φ to swap; moreover Γ_{φ,x} and Γ'_{φ,x} are the 
same as Γ_φ and Γ'_φ but with x mapped to {q2} and {q1}, respectively. 

It should be noted that a similar attempt to assign semantical values to the other 
lambda-tree in Figure 2 fails at the down-most x where in the context Γ with Γ(x) = {q2} 
we cannot assign x the value {q1}. 

To make the intuition of the example precise, we formally define a "proof system" of 
possible annotations (Γ, a) for a (sub)tree. Since the [τ] are all finite sets, there are only 
finitely many possible annotations. 

To simplify the later argument of our proof, which otherwise would be coinductive, we 
add a level n to our notion of proof. This level should be interpreted as "for up to n steps 
we can pretend to have a proof". This reflects the fact that coinduction is nothing but 
induction on observations. 

Definition 6.9. A context is a finite mapping from variables x^σ to their corresponding 
semantics [σ]. We use Γ to range over contexts. 

If Γ is a context, x a variable of type σ and a ∈ [σ] we denote by Γ^a_x the context Γ 
modified in that x is mapped to a, regardless of whether x was or was not in the domain of 
Γ. 
Definition 6.10. For Γ a context, a ∈ [ρ] a value, and t an infinitary, maybe open, lambda- 
tree of type ρ, with free variables among dom(Γ), we define 

Γ ⊢^n a ⊑ t : ρ 

by induction on the natural number n as follows. 

• Γ ⊢^0 a ⊑ t : ρ always holds. 

• Γ ⊢^n a ⊑ xi : ρ holds, provided a ⊑ Γ(xi). 

• Γ ⊢^{n+1} a ⊑ st : σ holds, provided there exist f ∈ [ρ → σ], u ∈ [ρ] such that a ⊑ R(fu), 
Γ ⊢^n f ⊑ s : ρ → σ, and Γ ⊢^n u ⊑ t : ρ. 

• Γ ⊢^{n+1} f ⊑ λx^ρ.s : ρ → σ holds, provided for all a ∈ [ρ] there is a b_a ∈ [σ] such that 
fa ⊑ β(b_a) and Γ^a_x ⊢^n b_a ⊑ s : σ. 

• Γ ⊢^n f ⊑ f : ι⃗ → ι, for f a terminal symbol, holds, provided for all a⃗ ∈ [ι⃗] we have 
f a⃗ ⊑ {q | δ(q, f) ∩ a1 × ... × a_ar(f) × {*} × ... × {*} ≠ ∅}. 

It should be noted that all the quantifiers in the rules range over finite sets. Hence the 
correctness of a rule application can be checked effectively (and even by a finite automaton). 
We write Γ ⊢ a ⊑ t : ρ to denote ∀n. Γ ⊢^n a ⊑ t : ρ. 

Remark 6.11. Obviously Γ ⊢^{n+1} a ⊑ t : ρ implies Γ ⊢^n a ⊑ t : ρ. Moreover, a' ⊑ a and 
Γ ⊢^n a ⊑ t : ρ imply Γ ⊢^n a' ⊑ t : ρ. Finally, Γ ⊢^n a ⊑ t : ρ, if Γ' ⊢^n a ⊑ t : ρ for some Γ' 
which agrees with Γ on the free variables of t. 

Also, in the second and in the last clause we may assume without loss of generality that 
n > 0. However, this assumption is not necessary, and it is even technically more convenient 
not to do so. 

Remark 6.12. We notice that the proof informally given in Example 6.8 and shown in 
Figure 5 complies with the formal Definition 6.10. Indeed, the annotations shown in the 
figure are valid for any n. 

As already mentioned, for t a term with finitely many free variables, the annotations 
(Γ, a) come from a fixed finite set, since we can restrict Γ to the set of free variables of t. 
If, moreover, t has only finitely many different sub-trees, that is to say, if t is regular, then 
only finitely many terms t have to be considered. So we obtain 

Proposition 6.13. For t regular, it is decidable whether Γ ⊢ a ⊑ t : ρ. 
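The finite search behind Proposition 6.13 as an added example, not the paper's code: a Python checker for the level-n judgement of Definition 6.10, built on the finite semantics of Definitions 6.1, 6.4 and 6.6. The automaton (states q1/q2 read as an odd/even number of g above the current node, terminals g and e, R and β keeping the state as in Remark 6.7) and the term (λx. g (g x)) e are constructed here; its terminal rule for g happens to yield the swap function of Example 6.3, and the levels show that {q1} is "provable" up to level 4 but refuted at level 5.

```python
# Added example (not the paper's code): a checker for the proof system of Definition
# 6.10 over a small constructed trivial automaton.  A type is "i" (ι) or a pair
# (rho, sigma) for rho → sigma; per Definition 6.1 a value of [ι] is a frozenset of
# states, a value of [rho → sigma] a tuple indexed like values(rho).
from functools import lru_cache, reduce
from itertools import combinations, product

I = "i"
Q = ("q1", "q2")
ARITY = {"g": 1, "e": 0}

def delta(q, f):
    """Constructed (hypothetical) automaton: q2 reads "an even number of g above", g toggles
    the state, the leaf e is accepted only in q2, R and β keep the state (Remark 6.7)."""
    if f == "g":
        return {("q1",)} if q == "q2" else {("q2",)}
    if f == "e":
        return {()} if q == "q2" else set()
    return {(q,)}

@lru_cache(None)
def values(tau):
    """All elements of [tau] (Definition 6.1); exponential, fine for small types."""
    if tau == I:
        return tuple(frozenset(c) for r in range(len(Q) + 1) for c in combinations(Q, r))
    return tuple(product(values(tau[1]), repeat=len(values(tau[0]))))

def apply(f, rho, a):
    return f[values(rho).index(a)]

def leq(a, b, tau):
    """a ⊑ b in [tau] (Definition 6.4): inclusion at ι, pointwise at arrow types."""
    return a <= b if tau == I else all(leq(x, y, tau[1]) for x, y in zip(a, b))

def lift(sym, f, tau):
    """R(f) or β(f) of Definition 6.6, pushed under all arguments of f."""
    if tau == I:
        return frozenset(q for q in Q if any(t[0] in f for t in delta(q, sym)))
    return tuple(lift(sym, g, tau[1]) for g in f)

@lru_cache(None)
def terminal_value(f, k, args=()):
    """Curried value {q | delta(q, f) meets a1 × ... × ak}, the bound of the last clause."""
    if k == 0:
        return frozenset(q for q in Q if any(all(t[i] in args[i] for i in range(len(args)))
                                             for t in delta(q, f)))
    return tuple(terminal_value(f, k - 1, args + (a,)) for a in values(I))

# Terms: ("var", x) | ("const", f) | ("app", s, t) | ("lam", x, rho, body)
def typeof(t, env):
    if t[0] == "var":
        return env[t[1]]
    if t[0] == "const":  # f : ι → ... → ι with arity(f) arrows
        return reduce(lambda tau, _: (I, tau), range(ARITY[t[1]]), I)
    if t[0] == "app":
        return typeof(t[1], env)[1]
    return (t[2], typeof(t[3], {**env, t[1]: t[2]}))

def extend(items, x, v):
    return tuple(sorted({**dict(items), x: v}.items()))

@lru_cache(None)
def proves(n, gamma, a, t, env):
    """Γ ⊢^n a ⊑ t : ρ (Definition 6.10); gamma and env are sorted item tuples."""
    if n == 0:
        return True
    G, E = dict(gamma), dict(env)
    if t[0] == "var":
        return leq(a, G[t[1]], E[t[1]])
    if t[0] == "const":
        return leq(a, terminal_value(t[1], ARITY[t[1]]), typeof(t, E))
    if t[0] == "app":  # guess f and u with a ⊑ R(f u)
        rho, sigma = typeof(t[2], E), typeof(t, E)
        return any(leq(a, lift("R", apply(f, rho, u), sigma), sigma)
                   and proves(n - 1, gamma, f, t[1], env) and proves(n - 1, gamma, u, t[2], env)
                   for f in values((rho, sigma)) for u in values(rho))
    x, rho, body = t[1], t[2], t[3]  # for every a ∈ [ρ] guess b_a with f a ⊑ β(b_a)
    sigma = typeof(body, {**E, x: rho})
    return all(any(leq(apply(a, rho, v), lift("β", b, sigma), sigma)
                   and proves(n - 1, extend(gamma, x, v), b, body, extend(env, x, rho))
                   for b in values(sigma))
               for v in values(rho))

# Constructed term (λx. g (g x)) e; its continuous normal form R(β(g(g(e)))) has a run
# from q2 but none from q1.
T = ("app", ("lam", "x", I, ("app", ("const", "g"), ("app", ("const", "g"), ("var", "x")))),
     ("const", "e"))
```

proves(n, (), frozenset({"q2"}), T, ()) holds for every n tried, whereas for {q1} it holds at level 4 and fails at level 5, which is exactly the "for up to n steps we can pretend to have a proof" reading of the level.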

Before we continue and show our calculus to be sound (Section 7) and complete (Sec- 
tion 8) let us step back and see what we will then have achieved, once our calculus is proven 
sound and complete. 

Proposition 6.13 gives us decidability for terms denoted by regular lambda-trees, and 
hence in particular for trees obtained by recursion schemes. Moreover, since the annotations 
only have to fit locally, individual subtrees of the lambda-tree can be verified separately. 
This is of interest, as for each non-terminal a separate subtree is generated. In other words, 
this approach allows for modular verification; think of the different non-terminals as different 
subroutines. As the semantics is the set-theoretic one, the annotations are clear enough to 
be meaningful, if we have chosen our automaton in such a way that the individual states 
can be interpreted extensionally, for example as "even" versus "odd" number of gs. 

It should also be noted that the number of possible annotations only depends on the 
type of the subtree, and on 𝔄, that is, the property to be investigated. Fixing 𝔄 and 
the allowed types (which both usually tend to be quite small), the amount of work to be 
carried out grows only linearly with the representation of t as a regular lambda-tree. For 
every node we have to make a guess and we have to check whether this guess is consistent 
with the guesses for the (at most two) child nodes. Given that the number of nodes of the 
representation of t grows linearly with the size of the recursion scheme, the problem is in 
fixed-parameter nondeterministic linear time, which doesn't seem too bad for practical applications. 



7. Truth Relation and Proof of Soundness 

The soundness of a calculus is usually shown by using a logical relation, that is, a 
relation indexed by a type that interprets the type arrow "→" as logical arrow "⇒"; in 
other words, we define partial truth predicates for the individual types. 

Since we want to do induction on the "observation depth" n of our proof · ⊢^n · ⊑ · : τ we 
have to include that depth in the definition of our truth predicates · ⊨^n · : τ. For technical 
reasons we have to build in weakening on this depth as well. 

Definition 7.1. For f ∈ [ρ⃗ → ι], n ∈ ℕ, t a closed infinitary lambda tree of type ρ⃗ → ι, 
the relation f ⊨^n t : ρ⃗ → ι is defined by induction on the type as follows. 

f ⊨^n t : ρ⃗ → ι iff 

∀ℓ ≤ n ∀a⃗ ∈ [ρ⃗] ∀r⃗ : ρ⃗. 

(∀i. ai ⊨^ℓ ri : ρi) ⇒ ∀q ∈ f a⃗. 𝔄, q ⊨^ℓ t@r⃗ 

Remark 7.2. Immediately from the definition we get the following monotonicity property. 
If f ⊑ f' and f' ⊨^n t : ρ⃗ then f ⊨^n t : ρ⃗. 

Remark 7.3. In the special case ρ⃗ = ε we get 

S ⊨^n t : ι iff ∀q ∈ S. 𝔄, q ⊨^n t^∞ 

Here we used that ∀ℓ ≤ n. 𝔄, q ⊨^ℓ s iff 𝔄, q ⊨^n s. 

Immediately from the definition we obtain weakening in the level. 

Proposition 7.4. If f ⊨^{n+1} t : ρ⃗ then f ⊨^n t : ρ⃗. 

Theorem 7.5. Assume Γ ⊢^n a ⊑ t : ρ for some Γ with domain {x1, ..., xk}. For all ℓ ≤ n 
and all closed terms t⃗ : ρ⃗, if ∀i. Γ(xi) ⊨^ℓ ti : ρi then a ⊨^ℓ t[t⃗/x⃗] : ρ. 

Proof. Induction on n, cases according to Γ ⊢^n a ⊑ t : ρ. 

• Case Γ ⊢^0 a ⊑ t : ρ always. Use that a ⊨^0 ... : ρ holds always. 

• Case Γ ⊢^n a ⊑ xi : ρ because of a ⊑ Γ(xi). 

Assume ∀i. Γ(xi) ⊨^ℓ ti : ρi. We have to show a ⊨^ℓ xi[t⃗/x⃗] : ρ, that is, a ⊨^ℓ ti : ρ, which 
follows from one of our assumptions by Remark 7.2. 

• Case Γ ⊢^{n+1} a ⊑ st : σ thanks to f ∈ [ρ → σ], u ∈ [ρ] such that a ⊑ R(fu), 
Γ ⊢^n f ⊑ s : ρ → σ, and Γ ⊢^n u ⊑ t : ρ. 

Let ℓ ≤ n + 1 be given, and t⃗ : ρ⃗ such that ∀i. Γ(xi) ⊨^ℓ ti : ρi. We have to show 
a ⊨^ℓ (st)[t⃗/x⃗] : σ. Write η for the substitution [t⃗/x⃗]. 

Let σ have the form σ = σ⃗ → ι. Let k ≤ ℓ be given and s⃗ : σ⃗, ci ∈ [σi] such that 
ci ⊨^k si : σi. We have to show for all q ∈ a c⃗ that 𝔄, q ⊨^k (sη)(tη)@s⃗, where 

(sη)(tη)@s⃗ = R(sη@(tη, s⃗)). 

Hence it suffices to show that there is a q' ∈ δ(q, R) such that 𝔄, q' ⊨^{k−1} sη@(tη, s⃗). 

Since k ≤ ℓ ≤ n + 1, we have k − 1 ≤ n. Using Proposition 7.4 various 
times we obtain ∀i. Γ(xi) ⊨^{k−1} ti : ρi. Hence we may use the induction hypothe- 
sis on Γ ⊢^n f ⊑ s : ρ → σ and obtain f ⊨^{k−1} sη : ρ → σ. Applying the induction hypothesis to 
Γ ⊢^n u ⊑ t : ρ yields u ⊨^{k−1} tη : ρ. 

Applying Proposition 7.4 to ci ⊨^k si : σi yields ci ⊨^{k−1} si : σi. Therefore 
∀q' ∈ f u c⃗. 𝔄, q' ⊨^{k−1} sη@(tη, s⃗). 

Since a ⊑ R(fu) we get ∀q ∈ a c⃗ ∃q' ∈ δ(q, R). q' ∈ f u c⃗. This together with the last 
statement yields the claim. 

• Case Γ ⊢^{n+1} f ⊑ λx^ρ.s : ρ → σ thanks to ∀a ∈ [ρ] ∃b_a ∈ [σ] such that fa ⊑ β(b_a) and 
Γ^a_x ⊢^n b_a ⊑ s : σ. 

Let ℓ ≤ n + 1 be given and t⃗ : ρ⃗ with Γ(xi) ⊨^ℓ ti : ρi. 

We have to show f ⊨^ℓ (λx^ρ.s)η : ρ → σ where η is short for [t⃗/x⃗]. 

Let σ have the form σ = σ⃗ → ι. Let k ≤ ℓ be given and r : ρ, s⃗ : σ⃗, c ∈ [ρ], 
ci ∈ [σi] such that c ⊨^k r : ρ and ci ⊨^k si : σi. We have to show for all q ∈ f c c⃗ that 
𝔄, q ⊨^k (λx.s)η@(r, s⃗), where 

(λx.s)η@(r, s⃗) = β(sη^r_x@s⃗). 

Hence it suffices to show that there is a q' ∈ δ(q, β) such that 𝔄, q' ⊨^{k−1} sη^r_x@s⃗. 

We know c ⊨^k r : ρ; using Proposition 7.4 we get c ⊨^{k−1} r : ρ and 
Γ(xi) ⊨^{k−1} ti : ρi. Since k ≤ ℓ ≤ n + 1 we get k − 1 ≤ n, hence we may 
apply the induction hypothesis to Γ^c_x ⊢^n b_c ⊑ s : σ and obtain b_c ⊨^{k−1} sη^r_x : σ. 

Since again by Proposition 7.4 we also know ci ⊨^{k−1} si : σi we obtain for all q' ∈ b_c c⃗ 
that 𝔄, q' ⊨^{k−1} sη^r_x@s⃗. 

Since fc ⊑ β(b_c) we get that ∀q ∈ f c c⃗ ∃q' ∈ δ(q, β). q' ∈ b_c c⃗. This, together with the 
last statement, yields the claim. 

• Case Γ ⊢^n f ⊑ f : ι⃗ → ι thanks to ∀a⃗ ∈ [ι⃗]. f a⃗ ⊑ {q | δ(q, f) ∩ a⃗ × {*} × ... × {*} ≠ ∅}. 

Let ℓ ≤ n be given and t⃗ : ρ⃗ such that ∀i. Γ(xi) ⊨^ℓ ti : ρi. We have to show 
f ⊨^ℓ f[t⃗/x⃗] : ι⃗ → ι, where f[t⃗/x⃗] = f. 

Let k ≤ ℓ be given and r⃗ : ι⃗, S⃗ ∈ [ι⃗] such that Si ⊨^k ri : ι. We have to show for all 
q ∈ f S⃗ that 𝔄, q ⊨^k f@r⃗. 

From Si ⊨^k ri : ι we get ∀qi ∈ Si. 𝔄, qi ⊨^k ri^∞. Hence the claim follows since ∀q ∈ f S⃗ 
∃q⃗ ∈ δ(q, f). q⃗ ∈ S⃗. □ 

It should be noted that in the proof of Theorem 7.5 in the cases of the λ-rule and the 
application-rule it was possible to use the induction hypothesis due to the fact that we used 
continuous normalisation, as opposed to standard normalisation. 



Corollary 7.6. For t a closed infinitary lambda term we get immediately from Theorem 7.5 

⊢^n S ⊑ t : ι ⇒ ∀q ∈ S. 𝔄, q ⊨^n t^∞. 

In particular, if ∀n. ⊢^n S ⊑ t : ι then ∀q ∈ S. 𝔄, q ⊨^∞ t^∞. 

8. The Canonical Semantics and the Proof of Completeness 

If we want to prove that there is an infinite run, then, in the case of an application st, 
we have to guess a value for the term t "cut out". 

We could assume an actual run be given and analyse the "communication", in the sense 
of game semantics, between the function s and its argument t. However, it is simpler 
to assign each term a "canonical semantics" ⟨⟨t⟩⟩_∞, roughly the supremum of all values we 
have canonical proofs for. 

The subscript ∞ signifies that we only consider infinite runs. The reason is that the 
level n in our proofs Γ ⊢^n a ⊑ t : ρ is not a tight bound; whenever we have a proof of level 
n, then there are runs of at least n steps, but on the other hand, runs might be longer 
than the maximal level of a proof. This is due to the fact that β-reduction moves subterms 
"downwards", that is, further away from the root, and in that way may construct longer 
runs. The estimates in our proof calculus, however, have to consider (in order to be sound) 
the worst case, that is, that an argument is used immediately. 

Since, in general, the term t may also have free variables, we have to consider a canonical 
semantics ⟨⟨t⟩⟩^Γ_∞ with respect to an environment Γ. 

Definition 8.1. By induction on the type we define for t a closed infinite lambda-tree of 
type ρ = ρ⃗ → ι its canonical semantics ⟨⟨t⟩⟩_𝔄∞ ∈ [ρ] as follows. 

Remark 8.2. For t a closed term of base type we have ⟨⟨t⟩⟩_𝔄∞ = {q | 𝔄, q ⊨^∞ t^∞}. 

Definition 8.3. For Γ a context, t : ρ typed in context Γ of type ρ = ρ⃗ → ι we define 
⟨⟨t⟩⟩^Γ_𝔄∞ ∈ [ρ] by the following explicit definition. 

⟨⟨t⟩⟩^Γ_𝔄∞(a⃗) = {q | ∃η. dom(η) = dom(Γ) ∧ 
(∀x ∈ dom(Γ). η(x) closed ∧ ⟨⟨η(x)⟩⟩_𝔄∞ ⊑ Γ(x)) ∧ 
∃r⃗ : ρ⃗. ⟨⟨r⃗⟩⟩_𝔄∞ ⊑ a⃗ ∧ 𝔄, q ⊨^∞ tη@r⃗} 

Remark 8.4. For t a closed term and Γ = ∅ we have ⟨⟨t⟩⟩^Γ_𝔄∞ = ⟨⟨t⟩⟩_𝔄∞. 

Proposition 8.5. If s has type ρ⃗ → ι in some context compatible with Γ, and η is some 
substitution with dom(η) = dom(Γ) such that for all x ∈ dom(Γ) we have η(x) closed and 
⟨⟨η(x)⟩⟩_𝔄∞ ⊑ Γ(x), then 

⟨⟨sη⟩⟩_𝔄∞ ⊑ ⟨⟨s⟩⟩^Γ_𝔄∞. 

Proof. Let a⃗ ∈ [ρ⃗] and q ∈ ⟨⟨sη⟩⟩_𝔄∞(a⃗) be given. Then there are s⃗ with ⟨⟨s⃗⟩⟩_𝔄∞ ⊑ a⃗ 
such that 𝔄, q ⊨^∞ sη@s⃗. Together with the assumed properties of η this witnesses 
q ∈ ⟨⟨s⟩⟩^Γ_𝔄∞(a⃗). □ 

Lemma 8.6. If r and s are terms of type σ → ρ⃗ → ι and σ, respectively, in some context 
compatible with Γ, then we have 

⟨⟨rs⟩⟩^Γ_𝔄∞ ⊑ R(⟨⟨r⟩⟩^Γ_𝔄∞ ⟨⟨s⟩⟩^Γ_𝔄∞) 

Proof. Let a⃗ ∈ [ρ⃗] and q ∈ ⟨⟨rs⟩⟩^Γ_𝔄∞(a⃗) be given. Then there is η with ∀x ∈ dom(Γ). ⟨⟨η(x)⟩⟩_𝔄∞ ⊑ 
Γ(x) and there are s⃗ with ⟨⟨s⃗⟩⟩_𝔄∞ ⊑ a⃗ and 

𝔄, q ⊨^∞ (rs)η@s⃗ = R(rη@(sη, s⃗)). 

Hence there is a q' ∈ δ(q, R) with 𝔄, q' ⊨^∞ rη@(sη, s⃗). It suffices to show that for this 
q' we have q' ∈ ⟨⟨r⟩⟩^Γ_𝔄∞ ⟨⟨s⟩⟩^Γ_𝔄∞ a⃗. 

By Proposition 8.5 we have ⟨⟨sη⟩⟩_𝔄∞ ⊑ ⟨⟨s⟩⟩^Γ_𝔄∞ and we already have ⟨⟨s⃗⟩⟩_𝔄∞ ⊑ a⃗. So 
the given η together with sη and s⃗ witnesses q' ∈ ⟨⟨r⟩⟩^Γ_𝔄∞ ⟨⟨s⟩⟩^Γ_𝔄∞ a⃗. □ 

Lemma 8.7. Assume that λx.r has type σ → ρ⃗ → ι in some context compatible with Γ. 
Then 

⟨⟨λx.r⟩⟩^Γ_𝔄∞(a) ⊑ β(⟨⟨r⟩⟩^{Γ^a_x}_𝔄∞) 

Proof. Let a⃗ ∈ [ρ⃗] and q ∈ ⟨⟨λx.r⟩⟩^Γ_𝔄∞(a, a⃗) be given. Then there is an η with ∀x ∈ dom(Γ) 
we have η(x) closed and ⟨⟨η(x)⟩⟩_𝔄∞ ⊑ Γ(x) and there are s, s⃗ with ⟨⟨s⟩⟩_𝔄∞ ⊑ a and 
⟨⟨s⃗⟩⟩_𝔄∞ ⊑ a⃗ such that 

𝔄, q ⊨^∞ (λx.r)η@(s, s⃗) = β(r[s/x]η@s⃗). 

So there is a q' ∈ δ(q, β) with 𝔄, q' ⊨^∞ r[s/x]η@s⃗. It suffices to show that q' ∈ ⟨⟨r⟩⟩^{Γ^a_x}_𝔄∞(a⃗). 
By the properties of η and since ⟨⟨s⟩⟩_𝔄∞ ⊑ a we know that for all y ∈ dom(Γ^a_x) we have 
⟨⟨η^s_x(y)⟩⟩_𝔄∞ ⊑ Γ^a_x(y). This witnesses q' ∈ ⟨⟨r⟩⟩^{Γ^a_x}_𝔄∞(a⃗). □ 

Lemma 8.8. ⟨⟨x⟩⟩^Γ_𝔄∞ ⊑ Γ(x) 

Proof. Assume x of type ρ⃗ → ι, let a⃗ ∈ [ρ⃗] and q ∈ ⟨⟨x⟩⟩^Γ_𝔄∞(a⃗) be given. We have to 
show q ∈ Γ(x)(a⃗). 

Since q ∈ ⟨⟨x⟩⟩^Γ_𝔄∞(a⃗), there is η with ⟨⟨η(x)⟩⟩_𝔄∞ ⊑ Γ(x) and s⃗ with ⟨⟨s⃗⟩⟩_𝔄∞ ⊑ a⃗ and 
𝔄, q ⊨^∞ xη@s⃗. 

But then s⃗ witness that q ∈ ⟨⟨η(x)⟩⟩_𝔄∞(a⃗) ⊆ Γ(x)(a⃗) where the last subset relation 
holds since ⟨⟨η(x)⟩⟩_𝔄∞ ⊑ Γ(x). □ 

Theorem 8.9. Γ ⊢^n ⟨⟨t⟩⟩^Γ_𝔄∞ ⊑ t : ρ 

Proof. Induction on n, cases on t. Trivial for n = 0. So let n > 0. We distinguish cases 
according to t. 

• Case rs. By induction hypothesis Γ ⊢^{n−1} ⟨⟨r⟩⟩^Γ_𝔄∞ ⊑ r : σ → ρ and Γ ⊢^{n−1} ⟨⟨s⟩⟩^Γ_𝔄∞ ⊑ s : σ. 
Moreover, by Lemma 8.6 ⟨⟨rs⟩⟩^Γ_𝔄∞ ⊑ R(⟨⟨r⟩⟩^Γ_𝔄∞ ⟨⟨s⟩⟩^Γ_𝔄∞). Hence Γ ⊢^n ⟨⟨rs⟩⟩^Γ_𝔄∞ ⊑ rs : ρ. 

• Case λx^σ.r. By induction hypothesis we have for all a ∈ [σ] that Γ^a_x ⊢^{n−1} ⟨⟨r⟩⟩^{Γ^a_x}_𝔄∞ ⊑ r : ρ. 

By Lemma 8.7 we have ⟨⟨λx.r⟩⟩^Γ_𝔄∞(a) ⊑ β(⟨⟨r⟩⟩^{Γ^a_x}_𝔄∞). 
Hence Γ ⊢^n ⟨⟨λx.r⟩⟩^Γ_𝔄∞ ⊑ λx.r : σ → ρ. 

• Case x. By Lemma 8.8 we have ⟨⟨x⟩⟩^Γ_𝔄∞ ⊑ Γ(x) and hence Γ ⊢^n ⟨⟨x⟩⟩^Γ_𝔄∞ ⊑ x : ρ. 

• Case t = f a terminal symbol. We have to show Γ ⊢^n ⟨⟨f⟩⟩^Γ_𝔄∞ ⊑ f : ι⃗ → ι. 

So, let S⃗ ∈ [ι⃗] and q ∈ ⟨⟨f⟩⟩^Γ_𝔄∞(S⃗). Hence there are s⃗ of type ι with ⟨⟨si⟩⟩_𝔄∞ ⊑ Si 
and 𝔄, q ⊨^∞ f@s⃗. 

So there is (q1, ..., q_ar(f), *, ..., *) ∈ δ(q, f) with 𝔄, qi ⊨^∞ si^∞. But then qi ∈ ⟨⟨si⟩⟩_𝔄∞ ⊆ Si. 
□ 

Corollary 8.10. If t : ι is closed and of ground type then ⊢^n {q | 𝔄, q ⊨^∞ t^∞} ⊑ t : ι. 

Proof. By Remarks 8.2 and 8.4 we have ⟨⟨t⟩⟩^∅_𝔄∞ = ⟨⟨t⟩⟩_𝔄∞ = {q | 𝔄, q ⊨^∞ t^∞}. So the claim 
follows from Theorem 8.9. □ 
Finally, let us sum up what we have achieved. 

Corollary 8.11. For t a closed regular lambda term, and q0 ∈ Q it is decidable whether 
𝔄, q0 ⊨^∞ t^∞. 

Proof. By Proposition 6.13 it suffices to show that ⊢ {q0} ⊑ t : ι holds if and only if 
𝔄, q0 ⊨^∞ t^∞. 

The "if"-direction follows from Corollary 8.10 and the weakening provided by Re- 
mark 6.11. The "only if"-direction is provided by Corollary 7.6. □ 

Note that, since there are only finitely many ways to extend a proof of level n to a 
proof of level n + 1 and all proofs of level n + 1 come from a proof of level n, the corollary 
implies, by König's Lemma, that 𝔄, q ⊨^∞ t^∞ implies ⊢ {q} ⊑ t : ι. 

9. Model Checking 

Theorem 9.1. Given a tree T defined by an arbitrary recursion scheme (of arbitrary level) 
and a property φ expressible by a trivial automaton, it is decidable whether T ⊨ φ. 

Proof. Let t be the infinite lambda-tree associated with the recursion scheme. Then t is 
effectively given as a regular closed lambda term of ground type and T is the normal form 
of t. 

Let 𝔄_φ be the automaton (with initial state q0) describing φ. By keeping the state 
when reading an R or β it can be effectively extended to an automaton 𝔄 that works on 
the continuous normal form, rather than on the usual one. So 

T ⊨ φ ⟺ 𝔄, q0 ⊨^∞ t^∞. 

The latter, however, is decidable by Corollary 8.11. □ 

Remark 9.2. As shown in Section 2 the above theorem is in particular applicable to 
CTL-properties built from letters, conjunction, disjunction, "next", and "globally". 

Remark 9.3. As discussed after Proposition 6.13 the complexity is fixed-parameter non- 
deterministic linear time in the size of the recursion scheme, if we consider φ and the allowed 
types as a parameter. 

Finally, looking back at the technical development, it is not clear to the author whether 
this approach can be extended in a smooth way to work for arbitrary automata, as opposed 
to only trivial ones. It is tempting to conjecture that appropriate annotations of the proofs 
with priorities could extend the concept to parity automata (and hence to full Monadic 
Second Order logic). However, all the ways that seemed obvious to the author failed. 

One technical problem is that several paths might lead to the same state at the same 
node, but with different priorities visited so far. A more fundamental problem is the way the 
runs are constructed in the proofs throughout this article; we're given a run by induction 
hypothesis and add a move at its beginning. As all acceptance conditions ignore finite 
prefixes, all the promises to visit some state eventually are pushed in the future indefinitely. 
So, some promise on how long it will take for some promised event to happen seems to be 
needed in the annotations, at least if we want these global conditions to fit with our local 
arguments. It is not clear to the author whether and how this can be achieved. 